Suncorp – Agile and Internal Audit

Suncorp: The Suncorp Group provides general insurance, banking, life insurance, superannuation and investment services across Australia and New Zealand. Within the Group, the Internal Audit Department assists Suncorp’s Board and Management to achieve their objectives by independently evaluating and reporting on the effectiveness of risk management, controls and governance processes. Internal Audit engages with all levels and areas across the Group, and is accountable to the Suncorp Board.

The Problems:

The key challenge facing the Internal Audit department was delivering on a large portfolio of complex audits, within a dynamic environment. This was compounded by the challenge of managing a team of people across several locations who are working on multiple projects across six portfolios, while ensuring effective information sharing.

It was difficult to gain transparency of individual audit progress, and visibility of the delivery of the overall annual audit plan. Audits that were impacted by similar issues were difficult to identify, and were unable to leverage off each other in terms of common solutions.

The Solution:

The proposal to use Agile practices within the Internal Audit department was inspired by the very projects that were being audited. As the majority of projects at Suncorp are delivered using Agile, the Internal Audit department took many of these practices, and began to apply them internally. For example:

The regular Stand-up: Holding a weekly Stand-up meeting provided a regular opportunity to reflect on the team’s progress towards delivering the Audit Plan. It is a forum to discuss each audit: to review what was achieved during the past seven days, to set goals for the next seven days, and to highlight any risks, blockers or challenges.

Burndown Charts: The use of Burndown Charts to measure and report on progress helped shift the mentality to value delivered, rather than time spent.

Retrospectives: These replaced the traditional post-implementation review of audits, as well as some aspects of the individual performance reviews after audit jobs. Retrospectives now include auditees as well, to support creation of a continuous learning and improvement culture within the team.

Kanban Boards: Central to the use of Agile within Internal Audit, the physical ‘Journey Board’ is a visual representation of how the team is progressing on the delivery of the Annual Audit Plan. It provides a means for the whole team to review the status of Internal Audit’s progress overall, at a team, portfolio and individual level.

Where appropriate, these practices were refined, to ensure they aligned to audit processes, while remaining true to the Agile principles.

The physical Journey Board defines the four states that each audit passes through, for example: Planning, Fieldwork, Response and Final. To move from one state to the next, the audit must meet clearly defined deliverables, called ‘Toll Gates’. To reinforce these deliverables, the Toll Gates and their associated criteria are physically printed on the Journey Board. Audits can only be moved through these Toll Gates during the stand-up, which is important to ensure appropriate rigour in the audit process.

The Toll Gates between states are as follows:

Planning to Fieldwork: Purpose of Audit defined through focusing questions, and agreed with audit team and auditees. Entrance meeting held, and Audit underway.

To measure progress, each time an audit passes through a ‘Toll Gate’, it accrues points, based on the number of days assigned to the Audit, weighted by the gate passed. This measure of velocity can be visualised on the Burndown Charts, and can then be broken down into points per portfolio, and points per Audit Leader.

The Implementation:

The adoption of Agile practices was relatively smooth, as there was already a culture of Agile emerging across the Suncorp Group. In this environment, it was initially decided to minimise the use of formal training, to rely on experience and experimentation to drive the understanding of Agile within the team, and to use the wisdom of the crowd by leveraging the project team resources that Audit works with.

The transition was led by a core of ‘champions’ who were responsible for creating the initial Agile environment, and adjusting it as required. The team took a relatively direct approach to the transition:

The first step was to implement the process changes, e.g. the ‘Journey Board’: approximately 100 audits for the year were installed overnight by a few enthusiastic team members.

This led, naturally, to changing the way the team reported on the progress of audits, through the use of burndown charts.

Finally, with the process changes underway, many of the cultural changes could be implemented. Examples include the way in which the department recognised the achievements of the auditors and teams, and the fostering of a culture where it is OK to call out blockers/challenges and ask for the assistance of the team where required.

Over time, the new audit processes have continued to evolve, as the team learnt what worked and what didn’t.

The Challenges:

It was recognised early on that effectively embedding Agile principles into the way the team worked required a cultural change. Most of the audits undertaken had fixed constraints, such as budgeted time, and fixed ‘Toll Gates’ imposed on them. The trick was being Agile within these constraints (and knowing what the constraints were). The approach to this was to create, and communicate, a hybrid between ‘old’ expectations and structures, and the new.

The criteria that needed to be met to pass each of the Journey Board Toll Gates were originally very detailed. This made the process complex and confusing, especially during the transition to Agile practices. To resolve this, the number of criteria on each Toll Gate was reduced to one or two, focusing on the deliverables required at each Toll Gate.

While there were many auditors who were enthusiastic about the transition to Agile, some had heard incorrect comments that Agile meant removing the need for budgets, and other fixed constraints. Others were wary, and felt that this approach was inappropriate for Internal Audit, or trivial.

Although artefacts, such as story walls and burn-up charts, were introduced, there was an initial period where auditors were uncomfortable using these artefacts to manage their audits, or raising issues and blockers in front of their peers at stand-ups. This was overcome by walking the talk, i.e. demonstrating open communication, and the benefits of flexible and open Agile practices, until it became the norm and new habits were established. It is hard to imagine, now, any other way of working!

Finally, a common misconception was that the Agile principle of transparency would conflict with the confidential nature of internal audits. However, adherence to the key Agile principles of trust and discretion within the team managed this potential issue.

The Outcomes:

Overall, the transition to Agile has transformed the way that Internal Audit operates, and made delivery of audit work more transparent and efficient. It has also made what can traditionally be a heavily structured process more fun, encouraging open communication and personal interaction.

There has also been a change in the way that Internal Audit managers operate. Managers have shifted to more of a coaching role for the team – emphasising the shared goal of delivering value, and trusting the auditees to self-organise, to deliver the required outcomes.

People outside the Audit team (with perhaps a misperception about the nature of the Audit business) have been surprised, and delighted, about Audit’s adoption of Agile. It has also made Auditing Agile projects much more collaborative, transparent and effective. By speaking the same language as the Agile projects, the Internal Audit team is better able to assess the effectiveness of Agile practices in the projects they audit. Finally, it has also allowed more flexibility when it comes to scheduling and responding to changes.

Adam Spencer is a technology executive with international banking experience and success in program delivery, IT service management, risk management and innovation. His experience includes finance, vendor management, security, agile and leadership of large multinational teams at companies such as Standard Chartered Bank, KPMG and Suncorp.